Access control in Visma Business

There are multiple layers of access control in the Visma Business product line solution. At the top of the hierarchy is the license. The license determines which products and modules are available for use. Each customer license might require multiple license keys, depending on the products that are part of the license. In the Visma Business context, access control is handled the following way:

  • The license determines the modules which can be set on a user in the Bruker table.

  • The access groups represent a set of functional access rights; for example “Insert, read and update for the order table”; however that requires that you have a module which allows you to do order handling.

  • Layouts represent an additional way of constraining access. A layout contains a set of tables/fields which are visible to the user; layouts can be connected to users, layout groups, companies and company groups.

The combination of all three levels gives an administrator the tools to build up the access control needed to run the business.

The concept of access groups in Visma Business works the following way. By default a user has access to everything. An administrator can add restrictions to tables, columns and functions. An access group can be connected directly to a user in the Bruker table, or to a user in the context of a company. The Brukeradgang table is used to store combinations of user, company and access group. A user can have different access rights depending on the company.

Visma Business follows the concept of intersection. A user connected to two access groups has access to the intersecting part of both access groups. Other products in the Visma Business product line do not apply the concept of intersecting access rights. They apply the concept of combining all assigned access rights (union). For example, adding multiple roles to a user in Visma Document Center will increase the functional access for that user.

The Visma User Directory (VUD) is the desired access control application for the Visma Business product line. It provides one place to configure access to various applications and it enables single sign-on across product line products (including cloud services). Maintaining the users, companies and roles/access groups will be done in VUD, after enabling VUD login for the product line products.

Using two different concepts (intersection and union) for aggregating access rights makes things difficult for administrators. Since version 9.00.0 of Visma Business it is possible to change the concept in Visma Business from the intersection principle to the union principle. Then all applications will be handled the same way.

The option Aggregerte adgangsrettigheter når VUD benyttes (i stedet for snitt av rettigheter) was added in the Systemoppl.behandl. field in the Systemopplysninger table. During the upgrade process to version 9.00.0 the option is automatically set for each existing installation to keep the old way of handling access rights (backwards compatibility).

Note: The option is only taken into consideration if the VUD integration is enabled.

Note: Access groups are created in VUD but still defined in Visma Business as they have always been.

Example:

  • One user: User1

  • Three access groups: Access_group_1, Access_group_2, Access_group_3

  • Two companies: Company_1, Company_2

Table 1. Bruker table

User1 | Access_group_2

Table 2. Adgangsgruppe table

Access_group_1 | Full access to all tables, columns and functions

Access_group_2 | Full access to the following tables:

  • Ordre

  • Ordrelinje

  • Aktør

Nothing else is accessible

Access_group_3 | Full access to the following tables:

  • Bunt

  • Bilag

  • Aktør

Nothing else is accessible

Table 3. Brukeradgang table

User1 | Company_2 | Access_group_3

The current setup shows that Access_group_1 is not assigned to any user. In the Bruker table we assign Access_group_2 to User1. That means User1 has full access to exactly three tables: the Ordre table, the Ordrelinje table and the Aktør table. No other table is accessible for User1.

The Brukeradgang table is used to grant different access rights to users for different companies. Without any entry in that table, User1 would have access rights from Access_group_2 for all companies (Company_1 and Company_2). The Brukeradgang table entry stated above adds an additional access group (Access_group_3) to User1 for Company_2.

User1’s actual access rights for Company_2 depend on the setting Aggregerte adgangsrettigheter når VUD benyttes (i stedet for snitt av rettigheter).

Table 4. Comparison of two scenarios: the old handling of access aggregation (intersection of access) and the new handling of access aggregation (union of access)

Old way of access handling

Aggregerte adgangsrettigheter når VUD benyttes (i stedet for snitt av rettigheter) = disabled

User name | Company | Access rights
User1 | Company_1 | Access_group_2

Full access to the following tables:

  • Ordre

  • Ordrelinje

  • Aktør

Nothing else is accessible

User name | Company | Access rights
User1 | Company_2 | Access_group_2 and Access_group_3

Full access to:

  • Ordre

  • Ordrelinje

  • Aktør

intersecting with full access to:

  • Bunt

  • Bilag

  • Aktør

The only intersecting/common table in this scenario is the Aktør table; that means User1 only has access to the Aktør table for Company_2.

Visma Business follows the concept of intersection. A user connected to two access groups will have access to the intersecting part of both access groups. In this example there is only one intersecting table, the Aktør table. That means the user will only have access to one single table (Aktør) for Company_2.

New way of access handling (recommended)

Aggregerte adgangsrettigheter når VUD benyttes (i stedet for snitt av rettigheter) = enabled

User name | Company | Access rights
User1 | Company_1 | Access_group_2

Full access to the following tables:

  • Ordre

  • Ordrelinje

  • Aktør

Nothing else is accessible

User name | Company | Access rights
User1 | Company_2 | Access_group_2 and Access_group_3

Full access to:

  • Ordre

  • Ordrelinje

  • Aktør

union with full access to:

  • Bunt

  • Bilag

  • Aktør

Now the user has access to the union of both access groups; that means User1 now has access to the following tables for Company_2:

  • Ordre

  • Ordrelinje

  • Bunt

  • Bilag

  • Aktør

Visma Business follows the concept of union. A user connected to two access groups will have access to the combined content of both access groups. In this example the user will have access to the Ordre, Ordrelinje and Aktør tables, in addition to the Bunt and Bilag tables. That means the user has more access rights in Company_2 compared to the old access handling.
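
The effective rights in the example above can be recomputed for both settings and diffed, which shows an administrator exactly what each user gains per company before the aggregation option is changed. This is an added illustration, not Visma code: the dict layout, the function names and the five-table universe are assumptions, and the sample rows are constructed from the example's tables.

```python
from functools import reduce

# Constructed sample data mirroring the example's tables. The dict/list
# layout is an assumption for illustration, not the Visma Business schema.
ALL_TABLES = frozenset({"Ordre", "Ordrelinje", "Aktør", "Bunt", "Bilag"})
ADGANGSGRUPPE = {
    "Access_group_1": ALL_TABLES,  # full access
    "Access_group_2": frozenset({"Ordre", "Ordrelinje", "Aktør"}),
    "Access_group_3": frozenset({"Bunt", "Bilag", "Aktør"}),
}
BRUKER = {"User1": "Access_group_2"}                       # user -> group
BRUKERADGANG = [("User1", "Company_2", "Access_group_3")]  # user, company, group
COMPANIES = ["Company_1", "Company_2"]


def assigned_groups(user, company):
    """Groups that apply to a user in one company (Bruker + Brukeradgang)."""
    groups = [BRUKER[user]] if BRUKER.get(user) else []
    groups += [g for u, c, g in BRUKERADGANG if u == user and c == company]
    return groups


def effective_tables(user, company, aggregate, vud_enabled=True):
    """Tables the user can reach. aggregate=True models the option enabled
    (union, as in Table 4); otherwise, or with VUD off, intersection applies."""
    sets = [ADGANGSGRUPPE[g] for g in assigned_groups(user, company)]
    if not sets:
        return ALL_TABLES  # by default a user has access to everything
    if aggregate and vud_enabled:
        return frozenset().union(*sets)
    return reduce(frozenset.intersection, sets)


def access_gained_by_union():
    """Audit: per (user, company), the tables that become reachable when
    aggregation is switched from intersection to union."""
    report = {}
    for user in BRUKER:
        for company in COMPANIES:
            gained = (effective_tables(user, company, True)
                      - effective_tables(user, company, False))
            if gained:
                report[(user, company)] = sorted(gained)
    return report


if __name__ == "__main__":
    for key, tables in access_gained_by_union().items():
        print(key, "gains", tables)
```

Only Company_2 appears in the report, because that is the only place where User1 holds two access groups; a user with a single group is unaffected by the setting.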

The benefit of using the new way of handling access groups is even more important in the context of a product line setup. The functional access of a user in VUD is the aggregation of all access groups and roles assigned to that user.

We strongly recommend all customers to disable the option Aggregerte adgangsrettigheter når VUD benyttes (i stedet for snitt av rettigheter) in the Systemopplysninger table.


